
The Heritages of MFT Part 2

June 30, 2009

Posted by johntinovis in Inovis Solutions, MFT.

In my first blog post, I discussed the different heritages of Managed File Transfer and what each perspective teaches us about file transfer requirements.  But I skipped over the new kid on the block: managed file transfer through email. A couple of years ago, I read a survey asking corporate IT people what they used for file transfer. The most common answer was that they e-mailed files.  From personal observation, you could see this same behavior at home as well as in the office.

But now files, both business and personal, have grown much larger and much faster than my e-mail inbox (at work, my inbox is actually smaller and more strictly managed than it was two years ago). E-mailing files around was already a security concern, since e-mails are more like postcards than letters in envelopes: anybody on the Internet who sees one fly by can read it. But we continued to use e-mail anyway so long as it continued to work, mainly because it was just so darned easy. So now we have gotten to the point where e-mail doesn’t work so well for file transfer, and while this makes the security guys happy, what are the rest of us supposed to do?

Image Source: http://www.library.illinois.edu

Enter another set of Managed File Transfer solutions to the rescue, mostly in a category we can call E-Mail Attachment Management. These solutions are either plug-ins to e-mail clients that send your attachments through the web while your e-mail goes through the e-mail system, or a little website where you can post a file and receive in return a link to paste into your e-mail or instant messenger client. Like the heritages of Managed File Transfer that I discussed in my first post, this evolution of file transfer solutions for e-mail also teaches us something important about Managed File Transfer.

The lesson is this: MFT principles apply to people participating in an unstructured business process as much as to applications and systems exchanging files as part of a highly structured and controlled process. In my previous post, the heritage solutions grew out of a set of problems related to interconnecting systems, but e-mail grew up connecting people and probably still reigns as the king of collaborative technologies. But people are people, so the “simple” process of moving a file between two people is actually much more complicated than it seems. I think this is part of what John W. Thompson was getting at in his RSA 2007 Keynote (is it already two years ago?) when he said “people are the new perimeter.”

I like to think of an MFT transaction as having a life-cycle governed by a mini-workflow. Even a simple connection might have loops and timers for renaming files after transmission, short-term archiving, and retransmission. But when people get involved, all the best practices and governance applied to e-mail systems are understood to apply to file transfer as well: scanning for PCI or HIPAA-related content, virus scanning, interfacing with long-term archiving and e-Discovery systems, variable retention periods, controls on encryption, and so on. We don’t necessarily know what the structure of the business process context is, so we have to make some guesses. It’s much more heuristic and the security problems are thornier.

So you can’t get away with thinking only of how to transfer files; you need to contemplate the entire business process, collaborative or structured, with a clear understanding of the broader set of policies that apply to it, and then adopt a file transfer solution that best accommodates this process.